US10320835B1ActiveUtility
Detecting malware on mobile devices
Est. expiryJun 21, 2030(~3.9 yrs left)· nominal 20-yr term from priority
G06F 21/562G06F 2221/033H04L 63/1416H04L 63/145H04L 63/20H04W 12/128G06F 21/51G06F 21/57G06F 21/56
68
PatentIndex Score
1
Cited by
154
References
30
Claims
Abstract
In one example, a mobile device includes a network interface configured to receive data for an application including a set of application permissions describing elements of the mobile device to which the application will have access upon installation of the application, and a processing unit configured to determine a type for the application and, based on an analysis of the set of application permissions and the type for the application, determine whether the application includes malware.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A security method for enforcing policies of an enterprise network comprising:
operating, by an enterprise administrator, an enterprise management console to manage a policy set of the enterprise network;
operating, on a data processor of a mobile network device seeking to access services from the enterprise network, a detection module for analyzing a target application of the mobile network device, wherein operation of the detection module comprises:
determining, by a permission management module, of the detection module, an application type of the target application;
determining, by the permission management module, a set of application permissions of the target application; and,
determining, by the permission management module, whether at least one of the set of application permissions of the target application is considered one of prohibited and concerning according to the policy set of the enterprise network; and,
performing, by a threat management module, of the detection module, a mitigation action responsive to the permission management module determining that at least one application permission of the target application is one of permitted, concerning and not permitted according to the policy set of the enterprise network.
2. The method of claim 1 wherein the step of performing the mitigation action comprises generating an alert by an alert generating module operated by the threat management module.
3. The method of claim 2 wherein the step of generating the alert comprises transmitting the alert to the enterprise management console.
4. The method of claim 3 further comprising the step of, responsive to transmitting the alert to the enterprise management console, receiving from the enterprise management console, an indication, by the enterprise administrator whether one or more concerning application permissions is permitted.
5. The method of claim 2 wherein the mobile network device includes a display device and the step of generating the alert further comprises; displaying on the display device information to identify the target application, and information to identify one or more application permissions of the target application.
6. The method of claim 2 wherein the mobile network device includes a touch screen display device and the step of generating the alert further comprises;
displaying on the touch screen display device a warning to indicate that a permission of the target application is one of concerning and not permitted; and,
displaying on the touch screen a first selectable option button selectable to ignore the warning; and,
displaying on the touch screen a second selectable option button selectable to take an action to one of delete and quarantine the target application.
7. The method of claim 1 wherein mobile network device includes a plurality of applications installed thereon further comprising the steps of:
determining, by the permissions management module, an application type of each of the plurality of applications installed on the mobile network device;
determining, by the permissions management module, a set of application permissions for each of the plurality of applications installed on the mobile network device;
determining, by the permission management module, for each of the plurality of applications installed on the mobile network device, whether the set of application permissions for each of the plurality of applications includes at least one application permission is one of concerning and not permitted according to the policy set; and,
performing by the threat management module, a mitigation action responsive to the permission management module determining that at least one application permission is one of concerning and not permitted according to the policy set.
8. The method of claim 7 wherein the step of performing the mitigation action comprises generating an alert by an alert generating module operated by the threat management module.
9. The method of claim 8 wherein the step of generating the alert comprises transmitting the alert to the enterprise management console.
10. The method of claim 9 further comprising the step of responsive to transmitting the alert to the enterprise management console, receiving, by the threat management module, from the enterprise console, by the enterprise administrator, an indication, whether one or more concerning application permissions is permitted.
11. The method of claim 8 wherein the mobile network device includes a display device and the step of generating the alert further comprises:
displaying, on the display device, an alert wherein the alert indicates that at least one of the plurality of applications installed on the mobile network device includes at least one application permission that is one of concerning and not permitted and further identifies each of the plurality of applications that includes at least one application permission that is one of concerning and not permitted.
12. The method of claim 8 wherein the mobile network device includes a touch screen display device and the step of generating the alert further comprises:
displaying on the touch screen display device a warning to indicate that a permission of at least one of the plurality of applications installed on the mobile network device is concerning;
displaying on the touch screen an identity of each of the plurality of applications that includes at least one of a concerning and a not permitted application permission; and,
displaying on the touch screen a selectable option button selectable to uninstall one or more of the plurality of applications that includes at least one not permitted application permission.
13. The method of claim 1 wherein the detection module for analyzing the target application is operable to analyze the target application without installing the target application onto the mobile network device.
14. The method of claim 1 wherein the target application is selected from an application market further comprising the steps of:
analyzing, by the detection module, the target application selected from the application market, prior to downloading the target application from the application market to the mobile network device.
15. The method of claim 1 wherein the target application is selected from an application market further comprising the steps of: analyzing, by the detection module, the target application selected from the application market after downloading the target application from the application market to the mobile network device and before installing the target application onto the processor of the mobile network device.
16. The method of claim 1 further comprising: operating a wireless network interface device in communication with the processor of the mobile network device wherein communication between the mobile network device and the enterprise network is at least in part over a radio access network.
17. The method of claim 1 further comprising: operating a wired network interface device in communication with the processor of the mobile network device wherein communication between the mobile network device and the enterprise network is at least in part over a network switch.
18. The method of claim 1 further comprising steps of; downloading the detection module from one of a threat analysis center and an application market that are separate from the enterprise network; and, installing the detection module onto the mobile network device prior to gaining access to the enterprise network.
19. The method of claim 18 further comprising receiving by the detection module from one of the threat analysis center and the application market, periodic updates to the permissions management module.
20. The method of claim 1 further comprising receiving by the detection module from any one of the threat analysis center, the application market, and the enterprise management console, periodic updates to the permissions management module.
21. A method comprising:
receiving, by a detection module, operating on a data processor of a network device, a list of expected application permissions for each of a plurality of different application types;
storing, on a memory module in communication with the data processor of the network device, the list of expected application permissions for each different application type;
determining, by a permission management module, of the detection module, an application type for each of one or more target applications of the network device;
extracting by the permissions management module, from each of the one or more target applications, a set of extracted application permissions;
comparing, by the permissions management module, the set of extracted application permissions with the list of expected application permissions for the application type that is matched with the application type of the target application;
determining, by the permissions management module, whether one or more of the extracted application permissions is not included in the expected application permissions for the application type that is matched with the application type of the target application; and,
if not, performing, by a threat management module of the detection module, a mitigation action responsive to the permission management module determining that one or more of the extracted application permissions is not included in the expected application permissions for the application type that is matched with the application type of the target application.
22. The method of claim 21 wherein the list of expected application permissions for each of a plurality of different application types is received from an application threat analysis center not associated with the enterprise network.
23. The method of claim 21 wherein the step of performing the mitigation action comprises generating an alert by an alert generating module operated by the threat management module.
24. The method of claim 23 further comprising:
operating, by an enterprise administrator, an enterprise management console to manage a policy set of the enterprise network;
wherein the step of generating the alert comprises transmitting the alert to the enterprise management console.
25. The method of claim 24 further comprising the step of,
responsive to transmitting the alert to the enterprise management console, receiving, by the detection module, from the enterprise management console, an indication, by the enterprise administrator, whether any one of the one or more of the extracted application permissions that is not included in the expected application permissions for the application type is permissible according to the policy set.
26. The method of claim 21 wherein the detection module for analyzing the target application is operable to analyze the target application without installing the target application onto the network device.
27. The method of claim 21 wherein the target application is selected from an application market further comprising the steps of:
analyzing, by the detection module, the target application selected from the application market, prior to downloading the target application from the application market to the mobile network device.
28. The method of claim 21 wherein the target application is selected from an application market further comprising the steps of:
analyzing, by the detection module, the target application selected from the application market after downloading the target application from the application market to the network device and before installing the target application onto the processor of the network device.
29. The method of claim 1 further comprising:
operating a wireless network interface device in communication with the data processor of the network device wherein communication between the network device and the enterprise network is at least in part over a radio access network.
30. The method of claim 1 further comprising:
operating a wired network interface device in communication with the data processor of the network device wherein communication between the network device and the enterprise network is at least in part over a network switch.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.